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Amendments to the Claims 

This listing of claims will replace all prior versions, and listings, of claims in the 
application. 

1-20. (cancelled) 

21. (currently amended) A system comprising: 

a network; and 

one or more machines coupled with the network, each machine comprising a 
communication interface and a memory including an execution area configured to 
perform operations to examine a set of instructions embodying an invoked application to 
identify the invoked applicatio n, wherein to examine the set of instructions comprises to 
apply a hash fimction to the set of instructions to generate a condensed representation and 
to compare the condensed representation with existing condensed representations for 
known applications , obtain application-specific intrusion criteria, the application-specific 
intrusion criteria including intrusion signatures and behavior criteria, and monitor 
network communications for the invoked application for application-specific intrusion 
signatures and abnormal application behavior to detect an intrusion. 

22. (original) The system of claim 21, wherein the application-specific intrusion criteria 
comprises a normal communication behavior threshold. 



23. (cancelled) 
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24. (previously amended) The system of claim 21, wherein to monitor network 
communications comprises to monitor network communications in a network intrusion 
detection system component running in an execution context with the invoked 
application. 

25. (previously amended) The system of claim 24, wherein the operations further 
comprise to provide an application-specific remedy for a detected intrusion. 

26. (previously amended) The system of claim 25, wherein to provide an application- 
specific remedy comprises cutting at least a portion of the network communications for 
the invoked application. 

27. (previously amended) The system of claim 24, wherein each machine further 
comprises a local repository and a security operation center, the security operation center 
includes a master repository, and wherein to obtain the application-specific intrusion 
criteria comprises to: 

request the application-specific intrusion criteria from the local repository; 

request the application-specific intrusion criteria from the master repository if the 
application-specific intrusion criteria is unavailable in the local repository; 

receive the application-specific intrusion criteria from the master repository if 
requested; and 

receive the application-specific intrusion criteria from the local repository. 
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28-30. (cancelled) 

3 1 . (currently amended) A detection method, comprising: 

examining a set of instructions embodying an invoked application to identify the 
invoked applicatio n, wherein examining the set of instructions comprises applying a hash 

function to the set of instructions to generate a condensed representation and comparing 
the condensed representation with existing condensed representations for known 
applications : 

obtaining application-specific intrusion criteria, the application-specific intrusion 
criteria including application-specific intrusion signatures and behavior criteria; and 

monitoring network communications for the invoked application for appUcation- 
specific intrusion signatures and abnormal application behavior to detect an intrusion. 

32. (cancelled) 

33. (original) The method of claim 31, wherein network communications are monitored 
for application-specific intrusion signatures that correspond to the identified invoked 
application. 

34. (original) The method of claim 31, further comprising unloading the application- 
specific intrusion signatures corresponding to the identified invoked application when the 
identified invoked application is terminated. 
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35. (original) The method of claim 31, further comprising tracking one or more 
characteristics of the network communications to identify application-specific abnormal 
communication behavior. 

36. (original) The method of claim 35, wherein tracking one or more characteristics of the 
network communications comprises comparing the one or more characteristics with one 
or more configurable thresholds. 

37. (original) The method of claim 35, wherein monitoring network communications 
comprises monitoring network communications in a network intrusion detection system 
component invoked with the invoked application. 

38. (original) The method of claim 37, wherein the network intrusion detection system 
component and the invoked application run within a single execution context. 

39. (original) The method of claim 31, further comprising operations to provide an 
application-specific remedy for a detected intrusion. 

40. (original) The method of claim 39, wherein operations to provide an application- 
specific remedy for a detected intrusion comprises cutting at least a portion of the 
network communications for the invoked appUcation and/or notifying a system 
administrator of the identified application-specific abnormal communication behavior. 
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41. (original) The method of claim 31, wherein obtaining the application-specific 
intrusion detection signature comprises loading the application-specific intrusion 
detection signature from a local signature repository. 

42. (original) The method of claim 31, wherein obtaining the application-specific 
intrusion detection signature comprises: 

requesting the application-specific intrusion detection signature from a local 
signature repository in communication with a remote signature repository; and 

receiving the application-specific intrusion detection signature from the local 
signature repository. 

43. (currently amended) A machine-readable storage medium embodying machine 
instructions for causing one or more processors to perform operations comprising: 

examining a set of instructions embodying an invoked application to identify the 
invoked application , wherein cxaminina the set of instructions comprises applyinu a hash 
function to the set of instructions to generate a condensed representation and comparing 
the condensed representation with existing condensed representations for known 
applications : 

obtaining application-specific intrusion criteria, the application-specific intrusion 
criteria including application-specific intrusion signatures and behavior criteria; and 

monitoring network conmiunications for the invoked application for appUcation- 
specific intrusion signatures and abnormal application behavior to detect an intrusion. 
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44. (cancelled) 

45. (currently amended) The machine-readable storage medium of claim 43, wherein 
network communications are monitored for application-specific intrusion signatures that 
correspond to the identified invoked application. 

46. (currently amended) The machine-readable storage medium of claim 43, further 
comprising unloading the application-specific intrusion signatures corresponding to the 
identified invoked application when the identified invoked application is terminated. 

47. (currently amended) The machine-readable storage medium of claim 43, further 
comprising tracking one or more characteristics of the network communications to 
identify application-specific abnormal communication behavior. 

48. (currently amended) The machine-readable storag e medium of claim 47, wherein 
tracking one or more characteristics of the network communications comprises 
comparing the one or more characteristics with one or more configurable thresholds. 



49. (currently amended) The machine-readable storage medium of claim 47, wherein 
monitoring network communications comprises monitoring network communications in a 
network intrusion detection system component invoked with the invoked appUcation. 
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50. (currently amended) The machine-readable storage medium of claim 49, wherein the 
network intrusion detection system component and the invoked application run within a 
single execution context. 

51. (currently amended) The machine-readable storage medium of claim 43, further 
comprising operations to provide an application-specific remedy for a detected intrusion. 



